[Dshield] Probing for catch alls.

Al Reust areust at comcast.net
Sat Jun 25 00:21:23 GMT 2005


Joshua

Many would have "opinions" about what you just stated. There is a lot to 
say and by your question you are just learning. So without writing a book, 
or telling you are in the incorrect list. The short story (not all inclusive).

It could be that it is a "SPAM List holder," is verifying email addresses. 
IF this is the case, then you could expect a fresh pile of SPAM as your 
"live email address" was verified (not rejected). You are about to be "sold."

You may have partially checked to see if the IP addresses in the headers 
may have been a Legit mail server (owned obviously) which is collecting 
NDR's. Or not...

More below....

At 11:22 AM 6/24/2005 -0700, you wrote:
>Hi All,
>
>I've been getting what appears to be probes for catch alls to both
>personal and business domains.  I'm sure it's just some jerk spammer, but
>was wondering why they'd want to know.

The question would be how many real domains (you mentioned) received the 
"same" email? DID you examine the Headers in all those duplicate messages? 
They tell a lot... "Commonalities," but you have to dig.

>Basically the Subject is "hi" or "how are ya?" and the body is along the
>lines of "hey, just checkin in on ya" or "hey, how ya been? long time no
>see".

For the average user it would appear as a mis-typed/mis-sent message. The 
user would only know, if they did something like "reply."

Something like, I am sorry do I know You? You sent me this message and I do 
not know you.

You can see what they just did. You told them they have a live target. They 
have either generated something the MTA will reject as a non valid user 
(forged domain), or sent a collectable message to a SPAM List 
collector.  If it was truly a bogus email address they would get a "No Such 
User message (depending on who runs the mail server)." Otherwise nothing 
would happen and the "user" would forget the incident. They would be logged 
with a valid email address and/or a valid IP/Domain.

The best thing to do is have a User report it and an then put in the trash 
after the admin has examined it.

> >From address is RANDOMNUMBERS_gibberish at forgeddomain.com.

So if it is forgeddomain.com, did you look to see if it actually answers on 
port 25. Did you (from a shell/command prompt) do a simple NSLOOKUP and 
then set type=MX and type in the Domain Name(s)? The Primary DNS server you 
connect to will tell you if it is "Real" (yes there are a few exceptions). 
and/or telnet IP address port 25 to compare the forged IP/real IP's?

>Is this something I should be concerned about?  Should I expect a spam
>wave soon?  Just curious if anyone had any insight on this.

A Lot of mail administrators, do not reply that "user" is 
non-existent,  There a couple of reasons that various people would tell 
you. IF the user does not exist and you return the mail to a forged domain 
it potentially starts a loop... Depending on the settings in the mail 
server you get a reply that user 1296574393 at forged domain.com does not 
exist. If the mail administrators does not have settings correct then his 
mail server bounces the message and you can have a round robin of "email 
server to mail server" messages that just keep going.

Most mail administrators tell it to "not reply" and "go to the trash"... 
They get a message that it happened but that is about it.

>Kind regards,
>
>-Joshua

If you get one, feed it to your SPAM filter and tell it you do not want to 
see them anymore. Are you targeted, very likely. Can you do anything about 
it? NO Please do not lick on any link at the bottom called "Remove Me." Let 
them "guess" do not tell them that you are a Live Email target/address..

There you have a Top Posted, Quoted and Bottom Posted all in one email. LOL 
Best of all worlds.

Have a "great" weekend All.

R/

Al






More information about the list mailing list